How to use the Apache APISIX CSRF security plug-in to intercept cross-site request forgery attacks

CSRF (Cross Site Request Forgery) is an attack in which the target server cannot tell whether a request originates from the real user or from an attacker. The general course of the attack is as follows: first, the attacker lures the user into opening a web page controlled by the attacker. This page contains a request that is sent to the target server automatically as soon as the page loads. From the server's point of view, that request is exactly the same as a normal request from the user; the server does not know that the attacker launched it, and neither does the user. Because the request carries the user's credentials, the attacker can act with those credentials and obtain the user's information, creating a security risk.

This article introduces the csrf security plug-in of Apache APISIX and explains in detail how to use it to protect the security of your APIs.

Plug-in introduction

The csrf plug-in is implemented using the Double Submit Cookie scheme. According to RFC 7231 section 4.2.1, GET, HEAD and OPTIONS are safe methods. Following that definition, the csrf plug-in lets these three methods through directly, but checks every other method and intercepts unsafe requests.

To resist CSRF attacks, we need a token or identifier that cannot be forged and that is never sent along with the attacker's request. The user must carry the token the csrf plug-in relies on in a request header, and the token is signed with a secret key. This ensures that the token cannot be forged by others, and thus protects the API.


Once the csrf plug-in is enabled on a route, every response for that route contains a Cookie carrying a CSRF token.

For unsafe requests to that route, the user must send this Cookie and must also add a request header that carries the same value as the Cookie. The header name is the name value in the plug-in configuration. Only then does the request pass the csrf plug-in's verification.

The user supplies a random key in the plug-in configuration. The plug-in uses this key to compute a SHA-256 signature over the token information and embeds the signature in the CSRF token it issues, so the token cannot be forged.

How to use

Configure a route and enable the csrf plug-in on it

Create a route and enable the csrf plug-in through the APISIX Admin API:

curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
  "uri": "/hello",
  "plugins": {
    "csrf": {
      "key": "edd1c9f034335f136f87ad84b625c8f1"
    }
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "127.0.0.1:9001": 1
    }
  }
}'

The plug-in has three configuration items:

  • key: required. A random secret key; the user must provide a random value here.
  • expires: optional. The lifetime of the token, 7200 seconds by default. Since the CSRF token is delivered to the client in a Cookie, this value is also used as the Cookie's expiration time. In addition, the plug-in checks the time internally to determine whether a token has expired.
  • name: optional. The name of the CSRF token (the Cookie name and the request header name). The default is apisix-csrf-token.

Send test requests

First, access the route with a POST request:

curl -i http://127.0.0.1:9080/hello -X POST

Apache APISIX intercepts the request and returns a 401 error. In the response headers you will find that a Cookie is set. If the plug-in's name field is not configured, the Cookie name is the default apisix-csrf-token. Its value is the CSRF token generated by the csrf plug-in. Subsequent requests must carry this Cookie and also put the token in the request header.

HTTP/1.1 401 Unauthorized
Set-Cookie: apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ==;path=/;Expires=Mon, 13-Dec-21 09:33:55 GMT
{"error_msg":"no csrf token in headers"}

Client example in JavaScript: use js-cookie to read the Cookie and axios to send requests.

import Cookies from 'js-cookie';
import axios from 'axios';

// Read the token that APISIX set in the apisix-csrf-token Cookie
const token = Cookies.get('apisix-csrf-token');

// Every request sent through this instance carries the token in the header,
// while the browser attaches the Cookie itself, so both copies match
const instance = axios.create({
  headers: {'apisix-csrf-token': token}
});

If the token in the Cookie does not match the token in the request header, the csrf plug-in intercepts the request, as in the following example:

curl -i http://127.0.0.1:9080/hello -X POST -H 'apisix-csrf-token: differenteyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ==' -b 'apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ=='
HTTP/1.1 401 Unauthorized
Set-Cookie: apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ==;path=/;Expires=Mon, 13-Dec-21 09:33:55 GMT
{"error_msg":"csrf token mismatch"}

Finally, use curl to verify that a correct request passes:

curl -i http://127.0.0.1:9080/hello -X POST -H 'apisix-csrf-token: eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ==' -b 'apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ=='
HTTP/1.1 200 OK

Internally, the plug-in checks that the token in the Cookie matches the token in the request header, and then recomputes the signature to verify that the token itself is valid.
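To make the Double Submit Cookie scheme from the plug-in introduction and the verification steps just described concrete, here is an added Python model of both sides: token issuance (random value, expiry, signature) and request verification (safe methods pass, Cookie and header must both be present and equal, the signature must recompute, the token must not be expired). This is example code written for this article, not the plug-in's Lua source; the signing construction (HMAC-SHA256 over the token fields) and the use of an absolute expiry timestamp are assumptions of this example, and SECRET_KEY is a constructed placeholder rather than the Admin API key reused in the curl command above. The error strings mirror the ones shown in the 401 responses. The decode_token helper is applied to the token value from the article's own Set-Cookie header to show that it is base64-encoded JSON with random, expires and sign fields.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed placeholder; in a real deployment use a long random secret
# that is not shared with anything else (in particular not the Admin API key).
SECRET_KEY = "replace-with-a-long-random-key"
TOKEN_NAME = "apisix-csrf-token"            # plug-in default cookie/header name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # RFC 7231 section 4.2.1

# Token value copied from the article's Set-Cookie header (not constructed).
PAGE_TOKEN = ("eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09u"
              "ZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ==")


def _sign(random_value: str, expires: int, key: str) -> str:
    # Assumption of this example: HMAC-SHA256 over "<random>:<expires>",
    # base64-encoded. The plug-in's exact signing string is not on the page.
    msg = f"{random_value}:{expires}".encode()
    return base64.b64encode(hmac.new(key.encode(), msg, hashlib.sha256).digest()).decode()


def generate_token(key: str, ttl: int = 7200, now: Optional[int] = None) -> str:
    """Issue a token the gateway would place in the Set-Cookie header."""
    now = int(time.time()) if now is None else now
    random_value = secrets.token_hex(16)
    expires = now + ttl                      # absolute expiry (example design choice)
    payload = {"random": random_value, "expires": expires,
               "sign": _sign(random_value, expires, key)}
    return base64.b64encode(json.dumps(payload).encode()).decode()


def decode_token(token: str) -> dict:
    """The token is base64-encoded JSON; this also works on PAGE_TOKEN."""
    return json.loads(base64.b64decode(token))


def verify_request(method: str, headers: Dict[str, str], cookies: Dict[str, str],
                   key: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request, in the order the plug-in checks."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    cookie_token = cookies.get(TOKEN_NAME)
    if cookie_token is None:
        return False, "no csrf token in cookie"
    header_token = headers.get(TOKEN_NAME)
    if header_token is None:
        return False, "no csrf token in headers"
    # Double submit: the value the browser attached as a Cookie must equal
    # the value the page's JavaScript copied into the header.
    if not hmac.compare_digest(cookie_token, header_token):
        return False, "csrf token mismatch"
    try:
        payload = decode_token(cookie_token)
        random_value = str(payload["random"])
        expires = int(payload["expires"])
        sign = str(payload["sign"])
    except (ValueError, KeyError, TypeError):
        return False, "invalid csrf token"
    # Recompute the signature with the configured key; a token minted without
    # the key (or tampered with) fails here.
    if not hmac.compare_digest(sign, _sign(random_value, expires, key)):
        return False, "invalid csrf token"
    now = int(time.time()) if now is None else now
    if now >= expires:
        return False, "csrf token expired"
    return True, "ok"


if __name__ == "__main__":
    token = generate_token(SECRET_KEY)
    print(verify_request("POST", {}, {}, SECRET_KEY))                              # no cookie
    print(verify_request("POST", {}, {TOKEN_NAME: token}, SECRET_KEY))             # no header
    print(verify_request("POST", {TOKEN_NAME: "x" + token}, {TOKEN_NAME: token}, SECRET_KEY))
    print(verify_request("POST", {TOKEN_NAME: token}, {TOKEN_NAME: token}, SECRET_KEY))
    print(sorted(decode_token(PAGE_TOKEN)))
```

The two compare_digest calls are deliberate: plain string comparison of tokens and signatures leaks timing information, and the cost of constant-time comparison is negligible at the gateway. Note that the mismatch check runs before the signature check, which is why a forged header value yields "csrf token mismatch" rather than "invalid csrf token", matching the article's second curl example.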

Disable the plug-in

Remove the csrf plug-in's configuration from the route and send a request to update the route; this deactivates the plug-in.

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
  "uri": "/hello",
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "127.0.0.1:1980": 1
    }
  }
}'

Summary

This article has described in detail how the csrf plug-in works and how to use it. We hope it gives you a clearer understanding of intercepting CSRF attacks with this plug-in in Apache APISIX, so that you can apply it in practice.

Keywords: security gateway csrf Open Source apisix

Added by coollog on Wed, 23 Feb 2022 12:02:46 +0200